SUSE Security Update: Security update for Xen
______________________________________________________________________________

Announcement ID:    SUSE-SU-2013:1075-1
Rating:             important
References:         #801663 #809662 #813673 #813675 #813677 #814709 
                    #816156 #816159 #816163 #819416 #820917 #820919 
                    #820920 
Cross-References:   CVE-2013-1917 CVE-2013-1918 CVE-2013-1919
                    CVE-2013-1920 CVE-2013-1952 CVE-2013-1964
                    CVE-2013-2072 CVE-2013-2076 CVE-2013-2077
                    CVE-2013-2078
Affected Products:
                    SUSE Linux Enterprise Software Development Kit 11 SP2
                    SUSE Linux Enterprise Server 11 SP2 for VMware
                    SUSE Linux Enterprise Server 11 SP2
                    SUSE Linux Enterprise Desktop 11 SP2
______________________________________________________________________________

   An update that solves 10 vulnerabilities and has three
   fixes is now available.

Description:


   XEN has been updated to 4.1.5 c/s 23509 to fix various bugs
   and security issues.

   The following security issues have been fixed:

   *

   CVE-2013-1918: Certain page table manipulation
   operations in Xen 4.1.x, 4.2.x, and earlier were not
   preemptible, which allowed local PV kernels to cause a
   denial of service via vectors related to deep page table
   traversal.

   *

   CVE-2013-1952: Xen 4.x, when using Intel VT-d for a
   bus mastering capable PCI device, did not properly check
   the source when accessing a bridge device's interrupt
   remapping table entries for MSI interrupts, which allowed
   local guest domains to cause a denial of service (interrupt
   injection) via unspecified vectors.

   *

   CVE-2013-2076: An information leak in the XSAVE/XRSTOR
   instructions could be used to determine the state of
   floating point operations in other domains.

   *

   CVE-2013-2077: A denial of service (hypervisor crash)
   was possible due to missing exception recovery on XRSTOR,
   which PV guest users could use to crash the machine.

   *

   CVE-2013-2078: A denial of service (hypervisor crash)
   was possible due to missing exception recovery on XSETBV,
   which PV guest users could use to crash the machine.

   *

   CVE-2013-2072: Systems which allow untrusted
   administrators to configure guest vcpu affinity may be
   exploited to trigger a buffer overrun and corrupt memory.

   *

   CVE-2013-1917: Xen 3.1 through 4.x, when running
   64-bit hosts on Intel CPUs, did not clear the NT flag when
   using an IRET after a SYSENTER instruction, which allowed
   PV guest users to cause a denial of service (hypervisor
   crash) by triggering a #GP fault, which is not properly
   handled by another IRET instruction.

   *

   CVE-2013-1919: Xen 4.2.x and 4.1.x did not properly
   restrict access to IRQs, which allowed local stub domain
   clients to gain access to IRQs and cause a denial of
   service via vectors related to "passed-through IRQs or PCI
   devices."

   *

   CVE-2013-1920: Xen 4.2.x, 4.1.x, and earlier, when
   the hypervisor is running "under memory pressure" and the
   Xen Security Module (XSM) is enabled, used the wrong
   ordering of operations when extending the per-domain event
   channel tracking table, which caused a use-after-free and
   allowed local guest kernels to inject arbitrary events and
   gain privileges via unspecified vectors.

   *

   CVE-2013-1964: Xen 4.0.x and 4.1.x incorrectly
   released a grant reference when releasing a non-v1,
   non-transitive grant, which allowed local guest
   administrators to cause a denial of service (host crash),
   obtain sensitive information, or possibly have other
   impacts via unspecified vectors.

   Bugfixes:

   *

   Upstream patches from Jan
   26956-x86-mm-preemptible-cleanup.patch
   27071-x86-IO-APIC-fix-guest-RTE-write-corner-cases.patch
   27072-x86-shadow-fix-off-by-one-in-MMIO-permission-check.patch
   27079-fix-XSA-46-regression-with-xend-xm.patch
   27083-AMD-iommu-SR56x0-Erratum-64-Reset-all-head-tail-pointers.patch

   *

   Update to Xen 4.1.5 c/s 23509. Many xen.spec file
   patches were dropped because they are now included in the
   4.1.5 tarball.

   *

   bnc#809662 - can't use pv-grub to start domU (pygrub
   does work) xen.spec

   *

   Upstream patches from Jan
   26702-powernow-add-fixups-for-AMD-P-state-figures.patch
   26704-x86-MCA-suppress-bank-clearing-for-certain-injected-events.patch
   26731-AMD-IOMMU-Process-softirqs-while-building-dom0-iommu-mappings.patch
   26733-VT-d-Enumerate-IOMMUs-when-listing-capabilities.patch
   26734-ACPI-ERST-Name-table-in-otherwise-opaque-error-messages.patch
   26736-ACPI-APEI-Unlock-apei_iomaps_lock-on-error-path.patch
   26737-ACPI-APEI-Add-apei_exec_run_optional.patch
   26742-IOMMU-properly-check-whether-interrupt-remapping-is-enabled.patch
   26743-VT-d-deal-with-5500-5520-X58-errata.patch
   26744-AMD-IOMMU-allow-disabling-only-interrupt-remapping.patch
   26749-x86-reserve-pages-when-SandyBridge-integrated-graphics.patch
   26765-hvm-Clean-up-vlapic_reg_write-error-propagation.patch
   26770-x86-irq_move_cleanup_interrupt-must-ignore-legacy-vectors.patch
   26771-x86-S3-Restore-broken-vcpu-affinity-on-resume.patch
   26772-VMX-Always-disable-SMEP-when-guest-is-in-non-paging-mode.patch
   26773-x86-mm-shadow-spurious-warning-when-unmapping-xenheap-pages.patch
   26799-x86-don-t-pass-negative-time-to-gtime_to_gtsc.patch
   26851-iommu-crash-Interrupt-remapping-is-also-disabled-on-crash.patch

   *

   bnc#814709 - Unable to create XEN virtual machines in
   SLED 11 SP2 on Kyoto xend-cpuinfo-model-name.patch

   *

   Upstream patches from Jan
   26536-xenoprof-div-by-0.patch
   26578-AMD-IOMMU-replace-BUG_ON.patch
   26656-x86-fix-null-pointer-dereference-in-intel_get_extended_msrs.patch
   26659-AMD-IOMMU-erratum-746-workaround.patch
   26660-x86-fix-CMCI-injection.patch
   26672-vmx-fix-handling-of-NMI-VMEXIT.patch
   26673-Avoid-stale-pointer-when-moving-domain-to-another-cpupool.patch
   26676-fix-compat-memory-exchange-op-splitting.patch
   26677-x86-make-certain-memory-sub-ops-return-valid-values.patch
   26678-SEDF-avoid-gathering-vCPU-s-on-pCPU0.patch
   26679-x86-defer-processing-events-on-the-NMI-exit-path.patch
   26683-credit1-Use-atomic-bit-operations-for-the-flags-structure.patch
   26692-x86-MSI-fully-protect-MSI-X-table.patch

   Security Issue references:

   * CVE-2013-1917
   
   * CVE-2013-1918
   
   * CVE-2013-1919
   
   * CVE-2013-1920
   
   * CVE-2013-1952
   
   * CVE-2013-1964
   
   * CVE-2013-2072
   
   * CVE-2013-2076
   
   * CVE-2013-2077
   
   * CVE-2013-2078
   


Special Instructions and Notes:

   Please reboot the system after installing this update.

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Software Development Kit 11 SP2:

      zypper in -t patch sdksp2-xen-201305-7798

   - SUSE Linux Enterprise Server 11 SP2 for VMware:

      zypper in -t patch slessp2-xen-201305-7798

   - SUSE Linux Enterprise Server 11 SP2:

      zypper in -t patch slessp2-xen-201305-7798

   - SUSE Linux Enterprise Desktop 11 SP2:

      zypper in -t patch sledsp2-xen-201305-7798

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Software Development Kit 11 SP2 (i586 x86_64):

      xen-devel-4.1.5_02-0.5.1

   - SUSE Linux Enterprise Server 11 SP2 for VMware (i586 x86_64):

      xen-kmp-trace-4.1.5_02_3.0.74_0.6.10-0.5.1

   - SUSE Linux Enterprise Server 11 SP2 (i586 x86_64):

      xen-kmp-default-4.1.5_02_3.0.74_0.6.10-0.5.1
      xen-kmp-trace-4.1.5_02_3.0.74_0.6.10-0.5.1
      xen-libs-4.1.5_02-0.5.1
      xen-tools-domU-4.1.5_02-0.5.1

   - SUSE Linux Enterprise Server 11 SP2 (x86_64):

      xen-4.1.5_02-0.5.1
      xen-doc-html-4.1.5_02-0.5.1
      xen-doc-pdf-4.1.5_02-0.5.1
      xen-libs-32bit-4.1.5_02-0.5.1
      xen-tools-4.1.5_02-0.5.1

   - SUSE Linux Enterprise Server 11 SP2 (i586):

      xen-kmp-pae-4.1.5_02_3.0.74_0.6.10-0.5.1

   - SUSE Linux Enterprise Desktop 11 SP2 (i586 x86_64):

      xen-kmp-default-4.1.5_02_3.0.74_0.6.10-0.5.1
      xen-kmp-trace-4.1.5_02_3.0.74_0.6.10-0.5.1
      xen-libs-4.1.5_02-0.5.1
      xen-tools-domU-4.1.5_02-0.5.1

   - SUSE Linux Enterprise Desktop 11 SP2 (x86_64):

      xen-4.1.5_02-0.5.1
      xen-doc-html-4.1.5_02-0.5.1
      xen-doc-pdf-4.1.5_02-0.5.1
      xen-libs-32bit-4.1.5_02-0.5.1
      xen-tools-4.1.5_02-0.5.1

   - SUSE Linux Enterprise Desktop 11 SP2 (i586):

      xen-kmp-pae-4.1.5_02_3.0.74_0.6.10-0.5.1


References:

   https://www.suse.com/security/cve/CVE-2013-1917.html
   https://www.suse.com/security/cve/CVE-2013-1918.html
   https://www.suse.com/security/cve/CVE-2013-1919.html
   https://www.suse.com/security/cve/CVE-2013-1920.html
   https://www.suse.com/security/cve/CVE-2013-1952.html
   https://www.suse.com/security/cve/CVE-2013-1964.html
   https://www.suse.com/security/cve/CVE-2013-2072.html
   https://www.suse.com/security/cve/CVE-2013-2076.html
   https://www.suse.com/security/cve/CVE-2013-2077.html
   https://www.suse.com/security/cve/CVE-2013-2078.html
   https://bugzilla.novell.com/801663
   https://bugzilla.novell.com/809662
   https://bugzilla.novell.com/813673
   https://bugzilla.novell.com/813675
   https://bugzilla.novell.com/813677
   https://bugzilla.novell.com/814709
   https://bugzilla.novell.com/816156
   https://bugzilla.novell.com/816159
   https://bugzilla.novell.com/816163
   https://bugzilla.novell.com/819416
   https://bugzilla.novell.com/820917
   https://bugzilla.novell.com/820919
   https://bugzilla.novell.com/820920

SuSE: 2013:1075-1: important: Xen

June 25, 2013